Small and medium-sized businesses (SMBs) have historically assumed they’re too insignificant for threat actors to bother about. This is an increasingly dangerous assumption. The latest government figures suggest that 58% of small businesses and 70% of their mid-sized counterparts were hit by a breach or cyber-attack over the past year. Many more may have been compromised but not found out yet.
Yet this doesn’t mean it’s game over for the UK’s SMBs. They may be shorter on cash and resources, but there are plenty of options out there – most notably the growing number of channel businesses now specializing in managed security services (MSSPs). The key will be finding the right one.
Channel Director for the UK at Trend Micro.
Misconceptions and misjudgment
SMB security strategy is often informed by a common set of misconceptions about the threat landscape. The first is that their data is not valuable to hackers. In fact, there are various ways that threat actors are targeting and monetizing data held by smaller organizations. Ransomware groups regularly exfiltrate IP and customer/employee information to sell on the dark web and use as leverage to extort their victims. Research reveals that in Q1 2024, nearly a third (31%) of corporate ransomware victims were businesses of under 100 employees, and three-quarters (74%) had under 1,000.
Threat actors might also target SMBs in specific industries such as legal, for the highly sensitive data they hold on clients. Or breach a smaller firm in a stepping stone attack, to reach a higher value customer or partner. The threat comes not just from financially motivated cyber-criminals but also nation state operatives. The result? UK SMBs recorded a 37% increase in cyber-threat alerts in 2023 versus 2022. And nearly four in 10 lost data.
SMB owners might also mistakenly assume that insider threats are something that happen to larger organizations. They’d be wrong to do so. Nearly a third (30%) of UK SMBs lost data due to user error in the past 12 months, and 27% due to disgruntled employees. The problem with user negligence and error is compounded by a lack of regular security awareness training. According to the government, just 30% of small and 52% of medium businesses have run sessions in the past 12 months.
Beyond AV
Another common misconception is that simple endpoint AV is enough to protect the modern SMB. In fact, the cybercrime underground is an increasingly sophisticated place, with packaged service offerings giving would-be hackers all the tools they need to carry out large-scale phishing and ransomware campaigns, bypass multi-factor authentication, launch brute-force attacks, and more. There’s a never-ending pipeline of stolen credentials making their way onto underground markets, to fuel account takeover. And specialist initial access brokers (IABs) sell readymade access to corporate networks.
All of which means SMBs need defense in depth that covers all layers of their IT infrastructure – from the email inbox and endpoint to networks, identity systems and cloud environments. They need not only protection tools to block as many threats as possible, but also detection and response to spot and contain threats that do sneak through defenses. And they need to manage risk across extended supply chains.
Unfortunately, as the government breaches survey reveals, adoption of such tools and approaches still isn’t where it should be. Supply chain security was adopted by just 29% of mid-sized UK firms last year, while incident management (69%) and vulnerability management (59%) should also ideally be higher.
Choosing the right partner
One final misconception potentially impacting SMB security is that a small generalist IT team can handle everything on its own. The truth is that, as long as threat levels remain elevated, and small businesses keep investing in digital systems to become more agile and competitive, they will need help with cybersecurity. The challenge for those with fewer resources, at a time of pronounced global skills shortages, is finding the right talent.
This is where the IT channel comes into its own. The market is full of MSPs and MSSPs which can help smaller firms bridge skills and capability gaps with value-add services. In fact, it’s a fast-growing global market. By one estimate, SME cybersecurity will be worth $90bn by 2025, with managed security services comprising one-third. But more options arguably makes finding the right partner even harder.
SMBs should carefully consider their requirements and budget before assessing the market. As always, it pays to stick to reputable providers with good client testimonials. It may pay to talk to their client base proactively rather than reading references handed over by the MSSP. A prospective provider should also have solid partnerships with reputable security vendors.
Managed detection and response (MDR) is an increasingly popular option, and with good reason. It offers proactive detection and response to spot and contain threats before they have an opportunity to cause any damage. All the heavy lifting is done either by the vendor or MSSP – enabling SMBs to benefit from enterprise-grade security operations (SecOps) capabilities without paying enterprise prices. Look for vendor partnerships underpinned by global threat intelligence, meaning zero-day vulnerabilities can be patched rapidly before anyone else.
Today’s SMBs are firmly in the crosshairs of global threat actors. But help is at hand, if they know where to look.
We've featured the best small business server.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
